After recently moving all our server infrastructure offsite, our firewall needs in our corporate office have been simplified: establish VPN tunnels to our datacenters, block all public incoming traffic, selectively block outgoing public traffic. Since this seemed like overkill for the ASA5520 pair we had, and we needed a new router anyway, on Cisco's advice we opted for a 3845 with the SEC/K9 package and sent the 5520s to the new offiste datacenter.
The VPN tunnels are now of ciritcal importance, as all corporate-office access to the servers is via VPN. We've added a second ISP at the corporate office, and coordinated BGP peering between the two. The primary ISP gave us a public class C block and both providers advertise our ASN. No problem there.
Right now, we're using a borrowed ASA 5510 behind the 3845 to act as a firewall and VPN endpoint. The 5510 has a private address on the inside port, and one address from our class C block on the outside port, and uses the 3845 as the default gateway. Again, a pretty standard configuration. Our desired configuration is to eliminate the 5510 and have the 3845 provide firewalling and NAT for our private internal address space. Our core switch will connect to the inside port of the 3845, which will then apply address translation and traffic rules.
Because of the peered ISPs and BGP, our public class C subnet can't be on any of the physical ports. It would seem that the public class C needs to be on some kind of virtual interface, so that it's routable via both ISPs, and we can directly connect private-subnet hosts to the inside port.
I'm having no success finding any kind of sample case for this configuration. I'm pretty proficient with the ASAs, but am pretty creaky with the ISRs, so I need something as the basis for an initial setup.
If there's a better sub-forum in which to post this question, please let me know. I posed here because it seemed that establishing the security config would be harder than the routing config.